blockhole'd IP receiving referral?
niobos at dest-unreach.be
Sun Dec 20 10:22:39 UTC 2009
On 19 Dec 2009, at 16:11, Fr34k wrote:
> Chris, I believe you are correct. That is, "blackhole applies to the
> sending of queries in addition to the receiving of queries".
> Let me explain.
> I discovered this the hard way. I had a /24 in the blackhole because
> it contained abusive clients. Within this /24 sat two legitimate
> authoritative name servers (ANS). Our clients could not get
> responses from these ANS servers because they were within the /24
> The solution was to make an exception for these two ANS servers.
> This is fine in that the blackhole function is doing its job well!
> However, we have a few /16s among our blackhole networks and to
> manage an exception list of legitimate ANS servers contained within
> will be unmanageable.
> So, how to stop the abuse without impacting legitimate client queries?
> I think the solution here would be to permit "allow-recursion
> { mynets; }" clients to query and get responses from "blackhole
> { badnets; }" networks in some way.
> Does such a solution, or equivalent, exist? If so, can someone share?
I haven't tested this, but I think this might do what you ask for:
Remove the blackhole-statements from the config; instead add these
rules to iptables, ipfw or equivalent:
* Allow "related or established" packets to the DNS port
* Drop incoming DNS requests from the blackhole nets
This will basically allow replies, but drop requests.
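The two packet-filter rules described above, written out as an added example (this is not code from the original post, and it has not been tested against a live BIND setup any more than the post's own suggestion). It is a POSIX shell script that emits iptables commands for a list of blackholed prefixes: replies to queries the resolver itself sent (source port 53, conntrack state ESTABLISHED, which nf_conntrack assigns to UDP answers as well as TCP) are accepted first, and only NEW requests arriving at port 53 from the listed prefixes are dropped. The prefixes (RFC 5737 documentation ranges), the APPLY variable and the chain position are constructed for the example; in a real ruleset these rules must sit above any general "accept port 53" rule or they never match.

```shell
#!/bin/sh
# Added example: packet-filter replacement for BIND's "blackhole" statement.
# Goal: the resolver may still send queries to authoritative servers that
# live inside abusive prefixes and receive their answers, but those prefixes
# may not send us queries. Run with APPLY=1 to execute; default is dry run.

# Constructed sample prefixes (RFC 5737 documentation ranges), not real badnets.
BADNETS="${BADNETS:-192.0.2.0/24 198.51.100.0/24}"

# Print one iptables command per line for the prefixes given as arguments.
gen_dns_blackhole_rules() {
    # 1. Accept answers to queries this host sent. The query left with an
    #    ephemeral source port and dport 53; the answer comes back with
    #    sport 53 and conntrack state ESTABLISHED. This rule must precede
    #    the drops so a blackholed ANS can still answer us.
    printf 'iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'

    # 2. Drop new requests to our port 53 from each blackholed prefix.
    #    Matching on NEW only means rule 1 already covered the replies.
    for net in "$@"; do
        printf 'iptables -A INPUT -s %s -p udp --dport 53 -m conntrack --ctstate NEW -j DROP\n' "$net"
        printf 'iptables -A INPUT -s %s -p tcp --dport 53 -m conntrack --ctstate NEW -j DROP\n' "$net"
    done
}

# Dry run prints the rules; APPLY=1 feeds them to the shell.
# shellcheck disable=SC2086  # BADNETS is intentionally word-split.
if [ "${APPLY:-0}" = "1" ]; then
    gen_dns_blackhole_rules $BADNETS | sh
else
    gen_dns_blackhole_rules $BADNETS
fi
```

Because the BIND `blackhole` statement is removed entirely, named will now send queries into these prefixes again; the filter, not named, is what keeps their requests out. Hosts in a blackholed prefix that are themselves resolvers forwarding to you are still cut off, which is the intended effect, and the drop is silent, so check the INPUT counters (`iptables -L INPUT -v -n`) rather than expecting REFUSED responses in the logs.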